macOS Server 5.2 Port Forwarding

I would suggest some of the services you list you would not actually want to make accessible. In particular you should not make Server Administration available via the Internet and in most cases would not want or need DNS to be accessible to the Internet.

With regards to DNS it is more common to have separate DNS servers for internal use and external use. The external DNS server is often run by an Internet or domain name company for you. You may even have different domains in use both externally and internally. It is possible to use the same domain both internally and externally and this is referred to as a 'split horizon' domain configuration.

For your information the port for allowing DNS access - should you chose to allow this is port 53 over both TCP and UDP.

For Calendar server the ports are 80 and 443 over just TCP.

For Mail server the ports are 25, 465, 587, 143, 993, 110, 995 all over just TCP.

As mentioned I do not recommend allowing Internet connection to remotely administer Server.app however I believe the ports it would require are 311 and 625 both just over TCP.

The ports need to be forwarded to the server.

Using Apple's Reachability test feature in Server.app may also need certain ports open. The communication is initiated from the client end i.e. the Server.app end and therefore replies will get back to it without needing port forwarding (for reachability).

I could not find for certain which ports Apple's Reachability test uses for communicating with the Apple server but you certainly need to allow out-bound access to the entire 17.0.0.0 subnet which is all owned by Apple. Some sites restrict outbound access as standard which maybe a contributor to this sort of problem.

Having Reachability blocked will not prevent the services form working merely that Server.app cannot report properly. You can turn Reachability testing off.